Solved: Re: Problem with GRE over IPSEC Implementation

Gopinath_Pigili · ‎08-31-2024

Hello I am trying implement gre with ipsec....before ipsec implemenation....I am able to ping from R1 loopback to R3 loopback. But, after ipsec implemenation no communication between them...any help appreciated..!!

Here is the configuration for R1 and R3

R1

ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco@123 address 3.3.3.3
!
!
crypto ipsec transform-set TS1 esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS1
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 172.16.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 192.168.23.3
tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
ip address 192.168.12.1 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 3.3.3.3 255.255.255.255 FastEthernet0/0
ip route 192.168.23.0 255.255.255.0 FastEthernet0/0
!
access-list 101 permit ip host 1.1.1.1 host 3.3.3.3 log
!
R3

ip tcp synwait-time 5
!
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
crypto isakmp key cisco@123 address 1.1.1.1
!
!
crypto ipsec transform-set TS3 esp-3des esp-md5-hmac
mode transport
!
!
crypto ipsec profile protect-gre
set security-association lifetime seconds 86400
set transform-set TS3
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 172.16.0.3 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 192.168.12.1
tunnel protection ipsec profile protect-gre
!
interface FastEthernet0/0
ip address 192.168.23.3 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet0/1
no ip address
shutdown
speed auto
duplex auto
!
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 1.1.1.1 255.255.255.255 FastEthernet0/0
ip route 192.168.12.0 255.255.255.0 FastEthernet0/0
!

MHM Cisco World · ‎08-31-2024

hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
crypto isakmp key cisco@123 address 200.0.0.3
!
!
!
!
crypto ipsec profile prof
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 200.0.0.3
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.0.0.2
ip route 3.3.3.3 255.255.255.255 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
crypto isakmp key cisco@123 address 100.0.0.1
!
!
!
!
crypto ipsec profile prof
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.3 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 100.0.0.1
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 200.0.0.3 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.0.0.2
ip route 1.1.1.1 255.255.255.255 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

View solution in original post

Gopinath_Pigili · ‎09-02-2024

Sorry for the late response..!!

it work's perfectly..!! Thanks for the configuration..!!

previously... i used crypto isakmp key cisco@123 address 3.3.3.3, changed to crypto isakmp key cisco@123 address 192.168.23.3

same way I changed in R3 crypto isakmp key cisco@123 address 1.1.1.1 changed to crypto isakmp key cisco@123 address 192.168.12.1

Thanks

View solution in original post

MHM Cisco World · ‎08-31-2024

Only one step wrong

Instead of using LO IP in crypto isakmp key use tunnel destination.

That it

Do change abd check

Note:- you need static route in each peer of LO the egress interface will be tunnel interface' this route based vpn not policy vpn' so traffic need to encrypt must pass through tunnel

MHM

Gopinath_Pigili · ‎08-31-2024

Still tunnel status is Down

I have done following changes

R1

ip route 3.3.3.3 255.255.255.255 Tunnel0

crypto isakmp key cisco@123 address 172.16.0.3

R3

ip route 1.1.1.1 255.255.255.255 tunnel 0

crypto isakmp key cisco@123 address 172.16.0.1

MHM Cisco World · ‎08-31-2024

Tunnel destination not tunnel IP

Use 192.168.12.1 and 192.168.23.3

MHM

Gopinath_Pigili · ‎08-31-2024

I changed to physical int ip's

R1--> crypto isakmp key cisco@123 address 192.168.23.3

R3--> crypto isakmp key cisco@123 address 192.168.12.1

Still...status down...

MHM Cisco World · ‎08-31-2024

If you remove ipsec profile form tunnel

And do show ip interface breif

Do you see tunnel up/up?

MHM

Gopinath_Pigili · ‎08-31-2024

Yes...it is up

MHM Cisco World · ‎08-31-2024

Show ip route in both peer

Thanks

MHM

MHM Cisco World · ‎08-31-2024

this lab for you
check the routing
and use tunnel destination in crypto isakmp key

MHM Cisco World · ‎08-31-2024

hostname R1
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
crypto isakmp key cisco@123 address 200.0.0.3
!
!
!
!
crypto ipsec profile prof
!
!
!
!
!
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.1 255.255.255.0
tunnel source FastEthernet0/0
tunnel destination 200.0.0.3
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
ip address 100.0.0.1 255.255.255.0
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 100.0.0.2
ip route 3.3.3.3 255.255.255.255 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

hostname R3
!
boot-start-marker
boot-end-marker
!
!
!
no aaa new-model
no ip icmp rate-limit unreachable
ip cef
!
!
!
!
!
!
no ip domain lookup
no ipv6 cef
!
!
multilink bundle-name authenticated
!
!
!
!
!
!
!
!
!
ip tcp synwait-time 5
!
!
!
!
crypto isakmp key cisco@123 address 100.0.0.1
!
!
!
!
crypto ipsec profile prof
!
!
!
!
!
!
interface Loopback0
ip address 3.3.3.3 255.255.255.255
!
interface Tunnel0
ip address 5.0.0.3 255.255.255.0
tunnel source FastEthernet1/1
tunnel destination 100.0.0.1
tunnel protection ipsec profile prof
!
interface FastEthernet0/0
no ip address
shutdown
duplex full
!
interface FastEthernet1/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet1/1
ip address 200.0.0.3 255.255.255.0
speed auto
duplex auto
!
interface FastEthernet2/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet2/1
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/0
no ip address
shutdown
speed auto
duplex auto
!
interface FastEthernet3/1
no ip address
shutdown
speed auto
duplex auto
!
ip forward-protocol nd
!
!
no ip http server
no ip http secure-server
ip route 0.0.0.0 0.0.0.0 200.0.0.2
ip route 1.1.1.1 255.255.255.255 Tunnel0
!
!
!
!
control-plane
!
!
line con 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line aux 0
exec-timeout 0 0
privilege level 15
logging synchronous
stopbits 1
line vty 0 4
login
!
!
end

MHM Cisco World · ‎09-02-2024

Any update about this issue?

MHM

Gopinath_Pigili · ‎09-02-2024

Sorry for the late response..!!

it work's perfectly..!! Thanks for the configuration..!!

previously... i used crypto isakmp key cisco@123 address 3.3.3.3, changed to crypto isakmp key cisco@123 address 192.168.23.3

same way I changed in R3 crypto isakmp key cisco@123 address 1.1.1.1 changed to crypto isakmp key cisco@123 address 192.168.12.1

Thanks

MHM Cisco World · ‎09-02-2024

You are so welcome friend

MHM